[EA-8307] Update ea-apache24 to 2.4.39 for CVE-2019-0211

Comments

26 comments

  • cPanelMichael
    Hello @Augusto Florentino, We're aware of the security report and plan to publish the patched Apache version as part of internal case EA-8307. I'll monitor the case and update this thread as soon as it's published. Thanks! Update: Hello Everyone, The updated EA4 packages were just published: Thank you. Edit 1: Updated CloudLinux blog link to reflect package availability on their stable EA4 repo.
    0
  • WebJIVE
    Yeah, this has to get patched pretty quick.
    0
  • Domenico
    Is Apache (2.4.38-3.3.1.cpanel) used with current cPanel vulnerable? Apache HTTP 2.4.17 to 2.4.38 is vulnerable to a local root exploit when mod_prefork, mod_worker and mod_event are used: Apache HTTP Server Project
    0
  • niceboy
    Do we have any updates on this? Seems to be a critical vulnerability.
    0
  • gPowerHost
    How much longer will this update take? Are we talking hours or days?
    0
  • cPanelMichael
    How much longer will this update take? Are we talking hours or days?

    It's tentatively scheduled for publication later today. I'll update this thread with more information as soon as it's available. Thank you.
    0
  • Marcio Vecchi
    We are waiting for the update, because we are worried about the vulnerabilities.
    0
  • sneader
    For those of you using CloudLinux, see this thread, for how you can update now: CVE-2019-0211 Apache HTTP Server privilege escalation from modules' scripts
    0
  • nibb
    Why is this taking so long? All cPanel has to do is send the patch down from the upstream RHEL. At this point I cannot wait to see how many people are attacking cPanel servers and gaining root access. This security hole is SERIOUS and is already being exploited in the wild. It's 24 hours now and no patch available.
    0
  • Giannis
    Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
    0
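Since the thread turns on whether an installed build is still in the affected range (2.4.17 to 2.4.38, as Domenico quoted above) or already at the fixed 2.4.39, here is an added check script, not code from the thread, from cPanel or from CloudLinux, that classifies an ea-apache24 version string and reports on the RPM actually installed. The function names and the patched/vulnerable/unaffected labels are my own, and it assumes an RPM-based EA4 host.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): classify an
# ea-apache24 version against the CVE-2019-0211 affected range
# (2.4.17 to 2.4.38) and the fixed release (2.4.39) named in the thread,
# then report on the RPM that is actually installed.

FIRST_AFFECTED="2.4.17"
FIXED_VERSION="2.4.39"

# version_ge A B: exit 0 when dotted version A >= B, comparing field by
# field numerically (non-digits stripped, missing fields treated as 0).
# A trailing dot is appended so cut always sees a delimiter.
version_ge() {
    i=1
    while :; do
        fa=$(printf '%s.' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        fb=$(printf '%s.' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$fa" ] && [ -z "$fb" ] && return 0
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# cve_2019_0211_status VERSION: prints patched, vulnerable or unaffected
# for an ea-apache24 %{VERSION} string such as 2.4.38 (the version part
# of the 2.4.38-3.3.1.cpanel package mentioned in the thread).
cve_2019_0211_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    elif version_ge "$1" "$FIRST_AFFECTED"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# report_installed: ask RPM for the installed ea-apache24 and classify it.
report_installed() {
    if rpm -q ea-apache24 >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' ea-apache24)
        echo "ea-apache24 $v: $(cve_2019_0211_status "$v")"
    else
        echo "ea-apache24 is not installed"
    fi
}

# Only query RPM where it exists, so the functions stay usable elsewhere.
if command -v rpm >/dev/null 2>&1; then
    report_installed
fi
```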
  • nibb
    Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi

    I have CL but I don't feel like I should be enabling a TESTING repo to get a security patch. In particular because cPanel should be sending the patch faster than CloudLinux, at least they should. I want an official release.
    0
  • vacancy
    Updated ea files began to appear on the test mirror server. It will start publishing in a short time.
    0
  • sparek-3
    I have to say, it's a bit disturbing at the length of time this is taking cPanel to release a fix. Changes to the EA4 Apache repository for this were made yesterday, yet we still don't have any rpms out to the mirrors. But anybody using CloudLinux will have to defer to CloudLinux on this. If you are using CloudLinux, then you are using CloudLinux packaged Apache and PHP. You're not using anything related to cPanel in regards to Apache and PHP. Those of us that aren't using CloudLinux have to depend on cPanel to release these updates.
    0
  • Giannis
    It is just updating apache to 2.4.39
    0
  • FrankS
    Hello @Augusto Florentino, We're aware of the security report and plan to publish the patched Apache version as part of internal case EA-8307. I'll monitor the case and update this thread as soon as it's published. Thanks!

    An update would be nice regarding this.
    0
  • DataCenterGuy
    It's tentatively scheduled for publication later today. I'll update this thread with more information as soon as it's available. Thank you.

    Can we get a status update on the patch being published for the standard kernel? Thanks.
    0
  • cPanelMichael
    Hello Everyone, We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published. Thank you.
    0
  • FrankS
    Hello Everyone, We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published. Thank you.

    I would suggest putting the packages on a beta/experimental repository as they are now. The exploit is rather severe and the only mitigation that I could think of doing is to disable user FTP access and a few other features. It doesn't exactly exclusively mitigate the issue, but it will definitely add a line of defense to the situation.
    0
  • nibb
    Hello Everyone, We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published. Thank you.

    I don't think quality is a concern right now for most users. Those that are updating today are pending over this thread already or checking their servers all the time; those that don't are not even aware the issue exists. I would rather have a temporarily buggy web server than a root-hacked server that makes you lose customers and having to rebuild everything from scratch. Given that this is being exploited as we speak, security should trump quality testing right now.
    0
  • FrankS
    Those that are updating today are pending over this thread already or checking their servers all the time; those that don't are not even aware the issue exists. I would rather have a temporarily buggy web server than a root-hacked server that makes you lose customers and having to rebuild everything from scratch.

    Personally this would not be an issue if cPanel streamlined their repositories rather than making a mirror. I have debated manually compiling the patch myself; however, I'm not entirely sure if that would work with cPanel. For now, to temporarily mitigate the issue I would suggest disabling FTP access and File Manager access so that the users do not have local access on the server. This makes it quite a bit harder to achieve the exploit.
    0
  • sparek-3
    cPanel probably needs to put this in their backend guides titled "How to NOT handle a major security vulnerability". This is a prime example of cPanel having too many irons in the fire, given that they are not able to address this issue in a timely manner.
    0
  • dServ
    Thanks for Update.
    0
  • cPanelMichael
    Hello Everyone, The updated EA4 packages were just published: Thank you. Edit 1: Updated CloudLinux blog link to reflect package availability on their stable EA4 repo.
    0
  • Volt55
    The yum method worked nicely for me, quick and easy. Thanks for the support.
    0
  • garconcn
    Will you release an Apache update for EA3 since this is a critical issue? We still have some EA3 cPanel servers and do not want to convert to EA4.
    0
  • cPanelMichael
    Will you release an Apache update for EA3 since this is a critical issue? We still have some EA3 cPanel servers and do not want to convert to EA4.

    Hello @garconcn, EasyApache 3 was deprecated on December 31, 2018 and is no longer receiving new updates. Your system must use EasyApache 4 in order to update to cPanel & WHM version 78 or newer (note that version 70 will reach EOL on April 30th). Feel free to open a
    0